From: Yonghong Song <yonghong.song@linux.dev>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>,
bot+bpf-ci@kernel.org, bpf@vger.kernel.org
Cc: ast@kernel.org, andrii@kernel.org, daniel@iogearbox.net,
kernel-team@fb.com, martin.lau@kernel.org,
sashiko-bot@kernel.org, eddyz87@gmail.com, clm@meta.com,
ihor.solodrai@linux.dev
Subject: Re: [PATCH bpf-next 1/2] bpf: Validate outgoing stack args when btf_prepare_func_args fails
Date: Thu, 14 May 2026 18:38:21 -0700
Message-ID: <ea3fc76a-42ca-41fb-a589-69bd13b09e03@linux.dev>
In-Reply-To: <DIISYMB87J47.2N64UTCAGDXFA@gmail.com>

On 5/15/26 1:53 AM, Alexei Starovoitov wrote:
> On Thu May 14, 2026 at 12:37 PM PDT, bot+bpf-ci wrote:
>>> commit 284cf62e75bd5632d61c528e48fe3f738870b269
>>> Author: Yonghong Song <yonghong.song@linux.dev>
>>>
>>> bpf: Validate outgoing stack args when btf_prepare_func_args fails
>>>
>>> btf_prepare_func_args() sets sub->arg_cnt before validating arg types.
>>> If validation fails (e.g. unsupported pointer type in a static subprog),
>>> check_outgoing_stack_args() is skipped because btf_check_func_arg_match()
>>> returns early. For static subprogs, check_func_call() ignores non-EFAULT
>>> errors and proceeds with the call.
>>>
>>> This causes the callee to read stack arg slots that the caller never
>>> stored or initialized, potentially dereferencing NULL caller->stack_arg_regs
>>> or getting an uninitialized value.
>>>
>>> To fix the issue, when btf_prepare_func_args() fails and the subprog expects
>>> stack args, call check_outgoing_stack_args() to verify the caller initialized
>>> the slots. Return -EFAULT on failure so the error is not ignored.
>>>
>>> Reported-by: Sashiko <sashiko-bot@kernel.org>
>>> Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
>> This looks like a bug fix for stack argument handling. Should this include:
>>
>> Fixes: 3ab5bd317ee2 ("bpf: Set sub->arg_cnt earlier in btf_prepare_func_args()")
> fixes tag is necessary indeed, but please drop 'Reported-by: Sashiko'.
> If we start doing such things every patch will have it.
Thanks. Will add fixes tag and drop 'Reported-by: Sashiko'.